CVE-2023-46214
published 2023-11-16

Priority: P1 (81, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 89.07% (99.8th percentile)
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet language transformations (XSLT) that users supply. This means that an attacker can upload malicious XSLT which can result in remote code execution on the Splunk Enterprise instance.

Affected (6 ranges)

Vendor   Product             Version range          Fixed in
splunk   cloud               < 9.1.2308             9.1.2308
splunk   splunk              >= 9.0.0, < 9.0.7      9.0.7
splunk   splunk              >= 9.1.0, < 9.1.2      9.1.2
splunk   splunk_cloud        >= -, < 9.1.2308       9.1.2308
splunk   splunk_enterprise   >= 9.0, < 9.0.7        9.0.7
splunk   splunk_enterprise   >= 9.1, < 9.1.2        9.1.2

Detection & IOCs (extracted from sources)

url: /en-US/splunkd/__upload/indexing/preview?
other: Content-Type: application/xslt+xml
other: x-requested-with: xmlhttprequest
other: x-splunk-form-key:
filename: *.xsl
command: runshellscript
snort: ET WEB_SPECIFIC_APPS Splunk Enterprise < 9.1.2 XML Injection (CVE-2023-46214); flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|en|2d|US|2f|splunkd|2f 5f 5f|upload|2f|indexing|2f|preview|3f|"; fast_pattern; content:"props|2e|NO_BINARY_CHECK|3d|1"; content:"input|2e|path|3d|"; http.header; to_lowercase; content:"x-requested-with|3a 20|xmlhttprequest"; content:"x-splunk-form-key|3a 20|"; http.request_body; content:"|2e|xsl"; content:"Content-Type|3a 20|application/xslt+xml"; sid:2057031; rev:1;
  • Look for HTTP POST requests to the Splunk upload/indexing/preview endpoint (/en-US/splunkd/__upload/indexing/preview?) containing a .xsl file upload with Content-Type: application/xslt+xml — this is the primary exploitation path for the malicious XSLT upload.
  • Detect presence of both 'x-requested-with: xmlhttprequest' and 'x-splunk-form-key' headers in POST requests to the upload endpoint, which are characteristic of the exploit's HTTP request structure.
  • Monitor Splunk for invocations of the 'runshellscript' capability following an XSLT file upload, as the exploit chains the upload with this built-in capability to achieve RCE.
  • Alert on successful authentication with default credentials (admin:changeme) followed by XSLT upload activity, as exploitation requires valid credentials and default creds are the common entry point.
  • The Snort/Suricata rule (sid:2057031) requires TLS decryption to be effective, as indicated by its metadata tag 'tls_state TLSDecrypt' and deployment tag 'SSLDecrypt'. Without TLS inspection, encrypted Splunk traffic is never matched against it.
  • Exploitation requires authenticated access to Splunk Enterprise. Detections focused solely on unauthenticated traffic will miss this attack vector.
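The conditions of the Suricata rule above, re-implemented as a check over decrypted HTTP requests so the pattern can be tested against parsed proxy or WAF records; this is an added example, not code from the page or from any vendor rule set. The method/uri/headers/body field names are an assumed normalized schema, and the sample requests are constructed, not real captures.

```python
# Added example (not from the page or any vendor rule set): the Suricata rule
# sid:2057031 re-implemented over decrypted HTTP requests already parsed into
# dicts. The method/uri/headers/body field names are an assumed schema and the
# sample requests below are constructed, not real captures.
UPLOAD_PATH = "/en-US/splunkd/__upload/indexing/preview?"

def matches_cve_2023_46214(req: dict) -> bool:
    """True when one request carries every indicator the rule checks."""
    if req.get("method", "").upper() != "POST":
        return False
    uri = req.get("uri", "")
    # Query string: preview endpoint plus the two form parameters.
    if not (UPLOAD_PATH in uri and "props.NO_BINARY_CHECK=1" in uri
            and "input.path=" in uri):
        return False
    # Header names are case-insensitive (the rule applies to_lowercase).
    hdrs = {k.lower(): v.lower() for k, v in req.get("headers", {}).items()}
    if hdrs.get("x-requested-with") != "xmlhttprequest":
        return False
    if "x-splunk-form-key" not in hdrs:
        return False
    # Multipart body: an .xsl part declared as XSLT.
    body = req.get("body", "")
    return ".xsl" in body and "Content-Type: application/xslt+xml" in body

def scan(requests: list) -> list:
    """Ids of requests to alert on; everything else passes unflagged."""
    return [r["id"] for r in requests if matches_cve_2023_46214(r)]

PART = ('Content-Disposition: form-data; name="spl-file"; filename="%s"\r\n'
        'Content-Type: %s\r\n')
HDRS = {"X-Requested-With": "XMLHttpRequest",
        "X-Splunk-Form-Key": "placeholder-form-key"}
SAMPLE_REQUESTS = [  # constructed sample traffic
    {"id": "req-1", "method": "POST",  # every indicator present
     "uri": UPLOAD_PATH + "props.NO_BINARY_CHECK=1&input.path=upload.xsl",
     "headers": HDRS, "body": PART % ("upload.xsl", "application/xslt+xml")},
    {"id": "req-2", "method": "POST",  # benign CSV preview on the same endpoint
     "uri": UPLOAD_PATH + "props.NO_BINARY_CHECK=1&input.path=access.csv",
     "headers": HDRS, "body": PART % ("access.csv", "text/csv")},
    {"id": "req-3", "method": "POST",  # XSLT upload without the form-key header
     "uri": UPLOAD_PATH + "props.NO_BINARY_CHECK=1&input.path=upload.xsl",
     "headers": {"X-Requested-With": "XMLHttpRequest"},
     "body": PART % ("upload.xsl", "application/xslt+xml")},
]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))  # ['req-1']
```

req-3 shows the rule's brittleness: because it requires the x-splunk-form-key header, an XSLT upload that omits it is not flagged, so a complementary detection on the upload's content type alone is worth keeping alongside.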